Ability to specify allowed ciphersuites based on the protocol version.
The ciphersuites parameter in the ssl_session structure changed from
'int *' to 'int **' and is now malloced in ssl_init() and freed in
ssl_free().
The new function ssl_set_ciphersuite_for_version() sets specific entries
inside this array. ssl_set_ciphersuite() sets all entries to the same
value.
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 9746e27..d5e8e1b 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -491,7 +491,7 @@
int verify_result; /*!< verification result */
int disable_renegotiation; /*!< enable/disable renegotiation */
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
- const int *ciphersuites; /*!< allowed ciphersuites */
+ const int **ciphersuites; /*!< allowed ciphersuites / version */
#if defined(POLARSSL_DHM_C)
mpi dhm_P; /*!< prime modulus for DHM */
@@ -718,6 +718,7 @@
/**
* \brief Set the list of allowed ciphersuites
+ * (Overrides all version specific lists)
*
* \param ssl SSL context
* \param ciphersuites 0-terminated list of allowed ciphersuites
@@ -725,6 +726,23 @@
void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites );
/**
+ * \brief Set the list of allowed ciphersuites for a specific
+ * version of the protocol.
+ * (Only useful on the server side)
+ *
+ * \param ssl SSL context
+ * \param ciphersuites 0-terminated list of allowed ciphersuites
+ * \param major Major version number (only SSL_MAJOR_VERSION_3
+ * supported)
+ * \param minor Minor version number (SSL_MINOR_VERSION_0,
+ * SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2,
+ * SSL_MINOR_VERSION_3 supported)
+ */
+void ssl_set_ciphersuites_for_version( ssl_context *ssl,
+ const int *ciphersuites,
+ int major, int minor );
+
+/**
* \brief Set the data required to verify peer certificate
*
* \param ssl SSL context